Virus

How can I delete it? I'm new to avast.

What was the name and location of the file detected, and what was it detected as?

You can get this information from the avast! log.

Hey, and welcome to the forum, Ashleybb.

What has avast detected?
Where has it detected it?

Have you tried sending it to the chest, where it cannot harm your computer?

you can also try MBAB and SAS and see if they can solve your problem.

http://filehippo.com/download_malwarebytes_anti_malware/
http://filehippo.com/download_superantispyware/

Don’t forget to update before scanning with SAS and MBAB.

Good luck, and write back if you get any problem or just need more help.

Hi Ashleybb,

It would be faster to have two topics active, but it would be a duplication of effort on our side. Please consider sticking to your topic here.

31/10/2009 13:17:25 SYSTEM 1664 Sign of "Win32:Spyware-gen [Spy]" has been found in "http://tigerden.uppit.com/save/ee7bc86dcb761bfcd9f9526d7f37fd14/4aec384d/0209/g8d2bplj/MASSACREDWORLD.ZIP.zip\.RunServer.exe" file.
31/10/2009 13:17:25 SYSTEM 1664 Sign of "Win32:Spyware-gen [Spy]" has been found in "http://tigerden.uppit.com/save/ee7bc86dcb761bfcd9f9526d7f37fd14/4aec384d/0209/g8d2bplj/MASSACREDWORLD.ZIP.zip\.RunServer.exe" file.

That's the file.

Hi Ashleybb,

Make the malware links non-clickable, for example by using hxtp or wXw.

The website that you mention has a Suspicious Inline Script on it:

Script outside of … block
top.location.replace("ht^p://uppit.com");

Location of the site is USA:
Reported Threats: 3

Name of threat: W32.IRCBot.Gen
Location: hxtp://tigerden.uppit.com/save/c7914dc531441e31b3e536e14644c5f5/4ad8aa2f/0209/cim50mc2/Internet_Explorer.exe

Name of threat: Backdoor.Trojan
Location: htxp://tigerden.uppit.com/save/6b489270409724656eeb8c9bfcfd6933/4ad8a9d9/0209/o8k5j8ne/2.1_XR_Bot.exe

Name of threat: Trojan Horse
Location: hxtp://tigerden.uppit.com/save/32f199b6f05c962a87d2e2072f491289/4adbd258/0209/bxrclapy/server.exe

and for the link you mentioned I get “There was a network error accessing the requested URL: 408”
that means “Destination Set Exhausted”…

polonus

I imagine that the link dead ends because of the backslash switch, which I think is avast’s way of letting you know which file it is that is infected within the double zip file…at least that’s how I understand it…

…/MASSACREDWORLD.ZIP.zip.RunServer.exe

-Scott-
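As an added example (not code from any poster or from avast), here is a small Python parser for the avast! log line format quoted above. It applies spgSCOTT's reading of the backslash as avast's archive/member separator, defangs the URL as polonus asks (hxxp://, [.] in the host), and collapses the repeated hit. The log lines it runs on are constructed, with a placeholder host instead of the real download site.

```python
import re

# Constructed sample in the avast! log format quoted in the thread; the host is a
# placeholder. The first hit is repeated on purpose, as it was in the poster's log.
SAMPLE_LOG = """\
31/10/2009 13:17:25 SYSTEM 1664 Sign of "Win32:Spyware-gen [Spy]" has been found in "http://files.example.invalid/save/abc/MASSACREDWORLD.ZIP.zip\\.RunServer.exe" file.
31/10/2009 13:17:25 SYSTEM 1664 Sign of "Win32:Spyware-gen [Spy]" has been found in "http://files.example.invalid/save/abc/MASSACREDWORLD.ZIP.zip\\.RunServer.exe" file.
31/10/2009 13:20:01 SYSTEM 1664 Sign of "Win32:Trojan-gen" has been found in "C:\\Temp\\pack.zip\\payload.exe" file.
31/10/2009 13:21:40 SYSTEM 1664 Sign of "Win32:Adware-gen" has been found in "C:\\Users\\me\\Downloads\\tool.exe" file.
"""

LINE_RE = re.compile(
    r'^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<user>\S+) '
    r'(?P<pid>\d+) Sign of "(?P<sig>[^"]+)" has been found in "(?P<path>.+)" file\.$'
)
ARCHIVE_EXT = (".zip", ".rar", ".7z", ".cab", ".tar", ".gz")


def split_container(path):
    """Split 'container\\member' into the archive (or URL) and the file inside it.
    A URL never contains a backslash, so its first one is avast's separator. In a
    local path a backslash is also a directory separator, so split only after a
    component with an archive extension. Plain files return (path, None)."""
    if re.match(r"^[a-z]+://", path, re.I):
        container, _, member = path.partition("\\")
        return container, (member or None)
    parts = path.split("\\")
    for i, part in enumerate(parts[:-1]):
        if part.lower().endswith(ARCHIVE_EXT):
            return "\\".join(parts[: i + 1]), "\\".join(parts[i + 1:])
    return path, None


def defang(url):
    """Render a URL non-clickable for posting: hxxp:// scheme, [.] in the host."""
    m = re.match(r"^(https?)://([^/]+)(.*)$", url, re.I)
    if not m:
        return url  # local path, nothing to defang
    scheme, host, rest = m.groups()
    return f"{scheme.lower().replace('tt', 'xx')}://{host.replace('.', '[.]')}{rest}"


def parse_log(text):
    """Return one dict per unique detection: time, signature, container, member."""
    seen, events = set(), []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        container, member = split_container(m["path"])
        key = (m["sig"], container, member)
        if key in seen:
            continue  # the same hit logged twice, keep one
        seen.add(key)
        events.append({"time": f"{m['date']} {m['time']}", "signature": m["sig"],
                       "container": defang(container), "member": member})
    return events
```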

Hi spgSCOTT,

Good observation there even in alerting avast will keep the flak off, ta…

I think the malware is this:
http://www.prevx.com/filenames/X263214202504027998-X1/RUNSERVER.EXE.html

And it became flagged because there was a SC keylog dropper hidden…
compile.exe and runserver.exe both infected with a SC keylog dropper, nice attempt from the malcreant to hide it from virus scanners by password protecting and encrypting the zip file…

See the malcode cocktail here:

[ Changes to filesystem ]

  • Creates directory C:.
  • Creates directory C:\WINDOWS.
  • Creates directory C:\WINDOWS\TEMP.
  • Deletes file C:\WINDOWS\TEMP\open8999.tmp.
  • Creates file C:\WINDOWS\TEMP\compile.bat.
  • Creates file C:\WINDOWS\TEMP\zzzz.exe.
  • Creates file C:\WINDOWS\SYSTEM32\iexplorer.exe.
  • Creates file C:\WINDOWS\SYSTEM32\iexplorer.dll.

[ Changes to registry ]

  • Creates key “HKLM\Software\Microsoft”.
  • Creates key “HKLM\Software\Microsoft\Windows”.
  • Creates key “HKLM\Software\Microsoft\Windows\CurrentVersion”.
  • Creates key “HKLM\Software\Microsoft\Windows\CurrentVersion\Run”.
  • Sets value “iexplorer”="C:\WINDOWS\SYSTEM32\iexplorer.exe " in key “HKLM\Software\Microsoft\Windows\CurrentVersion\Run”.

[ Process/window information ]

  • Attemps to open C:\WINDOWS\TEMP\compile.bat C:\WINDOWS\TEMP.
  • Attemps to open C:\WINDOWS\TEMP\zzzz.exe C:\WINDOWS\TEMP.
  • Attemps to open C:\WINDOWS\SYSTEM32\iexplorer.exe NULL.

[ Signature Scanning ]

  • C:\WINDOWS\TEMP\compile.bat (59 bytes) : no signature detection.
  • C:\WINDOWS\TEMP\zzzz.exe (78022 bytes) : W32/SCKeyLog.V.

pol

No problem :slight_smile:

nice attempt from the malcreant to hide it from virus scanners by password protecting and encrypting the zip file...

Well, that worked… :wink: